“Data we encrypt today is still valuable and vulnerable in the future.”

Some truths are hard to hear. This is one: attackers are already stealing encrypted data and planning to decrypt it later, when quantum computers are powerful enough to crack today’s cryptography. This isn’t science fiction. It’s the slow, silent burn of an emerging crisis.

Boards must understand: the risk isn’t theoretical. It’s happening.

Quantum Computing: A New Breed of Threat

Quantum computers aren’t just faster, they’re fundamentally different. While today’s machines take years to brute-force encryption, a future quantum system could do it in minutes. RSA and ECC, the bedrock of our digital security, will collapse under the weight of quantum power.

That’s why attackers are acting now. They’re harvesting sensitive encrypted data, knowing that they may be able to read it in the next five to 15 years.

This tactic has a name: “harvest now, decrypt later.”

Agencies are not waiting for the future, particularly in the US. The National Institute of Standards and Technology (NIST) has already selected post-quantum cryptographic algorithms, and the National Security Agency (NSA) and the Cybersecurity and Infrastructure Security Agency (CISA) have issued guidance for migration. The message is clear: the race to secure the quantum era has begun.

The Data Most at Risk

Start with high-value, long-life data: personally identifiable information, medical records, financial data and government secrets. This information remains sensitive long after it's created.

Then look at systems that are difficult to update or secure. This includes IoT devices, embedded systems, industrial control systems and legacy platforms. Encryption in these environments is often hardwired, or costly to upgrade.

Add in sectors where the cost of compromise is highest, such as defense, energy, healthcare and banking. If the data lives longer than the algorithm that protects it, it’s in danger.

CISOs need a clear risk map. If encryption were broken tomorrow, what data would be exposed? That knowledge must drive urgency and investment, not only in security, but in resilience.

How Leading Firms Are Responding

The smartest teams aren’t waiting for standards to be finalized. Here are five steps that can be taken today:

  • Cryptographic inventory. Mapping every point that uses encryption (TLS, VPNs, S/MIME, digital signatures, certificates) and flagging anything using vulnerable algorithms
  • Crypto-agility. Systems must be designed to allow cryptographic components to be swapped out without ripping everything apart; this flexibility is no longer optional
  • Hybrid cryptography. These pilots combine classical and post-quantum algorithms, building a bridge to a secure future
  • Alignment with public roadmaps. From CISA playbooks to NIST’s PQC algorithm list, forward-thinking entities are syncing efforts to stay ahead
  • Procurement pressure. Enterprises are demanding crypto-agility and PQC readiness from vendors; “futureproof or lose the deal” is becoming the standard
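
The cryptographic inventory step can be turned into a first-pass triage, shown here as an added example that is not from the original article. It ranks assets by "harvest now, decrypt later" exposure, separating key exchange (recorded traffic can be decrypted retroactively) from signatures (which cannot be forged until a capable quantum computer exists). The asset names, CSV columns and the five-year horizon are assumptions made for illustration.

```python
import csv
import io

# Public-key families breakable by Shor's algorithm on a large quantum computer.
VULNERABLE = ("RSA", "ECDH", "ECDSA", "DH", "DSA", "X25519", "ED25519")
# Families from NIST's post-quantum standards (FIPS 203, 204, 205).
POST_QUANTUM = ("ML-KEM", "ML-DSA", "SLH-DSA")

# Constructed inventory: assets, algorithms and lifetimes are illustrative.
SAMPLE_INVENTORY = """\
asset,key_exchange,signature,data_lifetime_years
patient-portal.example,ECDHE-P256,RSA-2048,25
vpn-gw.example,X25519+ML-KEM-768,ECDSA-P256,10
build-signer.example,none,RSA-3072,2
status-page.example,ECDHE-P256,ECDSA-P256,0
plc-line4.example,vendor-proprietary,vendor-proprietary,15
"""

def status(algorithm):
    """Classify one inventory field; 'A+B' denotes a hybrid of A and B."""
    parts = [p.strip() for p in algorithm.upper().split("+")]
    if any(p.startswith(POST_QUANTUM) for p in parts):
        return "pq"  # a hybrid holds while one component holds
    if all(p in ("", "NONE") for p in parts):
        return "n/a"
    if all(p.startswith(VULNERABLE) for p in parts):
        return "vulnerable"
    return "unknown"

def triage(inventory_csv, horizon_years=5):
    """Return (asset, priority) pairs; horizon_years is an assumed planning value."""
    findings = []
    for row in csv.DictReader(io.StringIO(inventory_csv)):
        kex, sig = status(row["key_exchange"]), status(row["signature"])
        long_lived = int(row["data_lifetime_years"]) >= horizon_years
        if kex == "vulnerable" and long_lived:
            priority = "HIGH"    # traffic captured today is readable later
        elif "vulnerable" in (kex, sig):
            priority = "MEDIUM"  # migrate, but no long-lived secrets in captured traffic
        elif "unknown" in (kex, sig):
            priority = "REVIEW"  # algorithm not recognised, check by hand
        else:
            priority = "OK"
        findings.append((row["asset"], priority))
    return findings

if __name__ == "__main__":
    for asset, priority in triage(SAMPLE_INVENTORY):
        print(f"{priority:<6} {asset}")
```

In practice the inventory rows would come from certificate stores, TLS scan results and VPN configurations rather than a hand-written CSV.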

Both public agencies and private enterprises understand: agility today is the cost of survival tomorrow.

Communicating Quantum Risk to the Board

Boards don’t need a cryptography lesson. They need a strategy.

Lead with governance. Encryption isn’t an IT detail; it’s a business foundation.

Use timelines. Point to the NIST standards, the CISA directives and the NSA guidance. These aren’t predictions. They are active policies.

Frame crypto-agility as a form of futureproofing. It’s not just technical hygiene, it’s business continuity.

And emphasize the reputational edge. Acting early signals leadership. Inaction signals exposure.

The Window is Open, But Closing

The post-quantum era is coming. But by the time the threat is fully realized, it will be too late to react.

CISOs who start now, and who map, test and adapt, will protect tomorrow’s data and lead today’s conversation.

In security, timing is everything. And the clock is ticking.